Digital Security - as it applies to Single Touch Payroll
With the advent of STP, very sensitive and private information now has the potential to travel across the Internet. Given the constant stream of cyber-security attacks, and the growing use of the Internet as the main communications channel between employer and employee, it is of the utmost importance that an organisation is both aware of and vigilant about its own security posture.
Security for Powerforce Software (the developer)
Powerforce, as the developer of the application, is obliged to ensure, as far as software can, that security and auditability are built around the data representing its customers' employee and payroll information, so that customers have some assurance of the safeguards built into the software they use.
At a purely technical level, the ATO imposes stringent requirements on payroll providers to ensure adherence to the highest levels of security, both for personnel and for the software itself.
Fortunately, we have guidelines, in the form of standards, that help focus attention on the major topics that need it. These are broadly reflected in the ISO 27001 information security guidelines.
ISO 27001 is an industry standard, set by the International Organization for Standardization (ISO), which specifies requirements for establishing, implementing, maintaining and continually improving an information security management system.
Powerforce has adopted a self-certification process based on the following documents as guidelines.
- Data Protection Self Assessment Worksheet Instructions
- Guidance: Allows agencies to make an assessment of their digital security controls against those stipulated in ISO27001
- Effective information security and ICT security
The implementation requirements for Powerforce are to be viewed from two points of view:
- Powerforce the company, like any other organisation, must ensure the integrity of its own company data, and hence the standard's guidelines apply to it directly.
- Powerforce the software developer is obliged to provide functionality in its products that enables its end clients to conform to the security requirements set out in the guidelines.
Security for Powerforce Customers (the client)
The advance of the open web into your business processes demands that companies take a new, modern and committed approach to the safety of their company data.
Powerforce (the company) clients are the executors of the payroll functions, and need to understand their obligations to safeguard employee information from unauthorised access. Powerforce (the software) is a tool that you use to run your business, and it is not incumbent on Powerforce to enforce your security obligations as expressed in the ISO guidelines. Powerforce will, however, offer any assistance you request to help you verify that you are meeting your obligations to safeguard your data.
Unauthorised access here means not only access from external sources, but also access by people internal to the organisation. The ISO guidelines broadly outline the following topic items as requirements for the successful fulfilment of those obligations. These obligations are the responsibility of the organisation and its service providers (be they internal IT or external service providers).
For clients that use external IT support on an as needed basis
- It is incumbent upon you, the company, to express those requirements clearly to your service providers.
- It is the responsibility of you, the employer, to ensure your IT infrastructure has satisfactory internal and external access controls in place to mitigate security breaches through threats such as malware and ransomware.
- We highly recommend that your IT service provider (internal or external) is familiar with all the security requirements outlined in the documents linked above.
Recommendations to enhance data security over Powerforce Database
- Since before STP, Powerforce installations have recommended creating Windows user groups to limit and manage access to the application at the operating system level.
- The application itself has a username and password mechanism, which has been enhanced so that access to the STP module must be explicitly assigned per login ID.
- We further recommend that, once the STP module is installed, you direct IT to restrict access to the STP sub-directory (which holds the new STP data tables) to explicitly named Windows user accounts. This gives you a greater level of control over physical access to employee and STP-related data.
- For those clients whose business security policies demand it, we can also enhance the STP module and database tables to work under an 'encrypted at rest' mechanism, which encrypts your data on the disk. This prevents anyone with access to the disk, however technically capable, from using debugging tools to read the raw data tables.
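As an added example (not Powerforce's own tooling or a step from its documentation), the following PowerShell script carries out the Windows group and sub-directory recommendations above on a stand-alone machine: it creates a local group for STP operators, replaces the inherited ACL on the STP sub-directory with explicit grants to SYSTEM, local Administrators and that group, and then re-reads the ACL to flag any principal that should not be there. The directory path `C:\Powerforce\STP`, the group name `Powerforce-STP` and the account `payroll.officer` are placeholders, since the page names none of them.

```powershell
# Added example, not part of the Powerforce product. Run in an elevated PowerShell
# session on the machine that hosts the STP data tables.
$StpPath   = 'C:\Powerforce\STP'       # placeholder: the STP sub-directory on your install
$GroupName = 'Powerforce-STP'          # placeholder: local group for users allowed to run STP
$Members   = @('payroll.officer')      # placeholder: Windows accounts that perform payroll

# 1. Create the operator group if it does not exist and add the authorised accounts.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Users permitted to access STP data tables' | Out-Null
}
foreach ($m in $Members) {
    if (-not (Get-LocalGroupMember -Group $GroupName -Member $m -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $GroupName -Member $m
    }
}

# 2. Rebuild the ACL: block inheritance without copying inherited rules, drop any
#    explicit rules left from installation, then grant only the principals we want.
$acl = Get-Acl -Path $StpPath
$acl.SetAccessRuleProtection($true, $false)   # $true = stop inheriting, $false = discard inherited ACEs
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($rule) | Out-Null
}

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$groupId   = "$env:COMPUTERNAME\$GroupName"

$grants = @(
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },  # service and backup agents
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },  # maintenance and restores
    @{ Identity = $groupId;                 Rights = 'Modify' }        # read/write tables, cannot change permissions
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Identity, $g.Rights, $inherit, $propagate, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $StpPath -AclObject $acl

# 3. Verify: read the ACL back and warn about any principal outside the allow-list,
#    for example BUILTIN\Users or Everyone left over from a default folder.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $groupId)
$actual   = (Get-Acl -Path $StpPath).Access |
            Select-Object IdentityReference, FileSystemRights, IsInherited
$actual | Format-Table -AutoSize
$unexpected = $actual | Where-Object { $expected -notcontains $_.IdentityReference.Value }
if ($unexpected) {
    Write-Warning "Unexpected principals on ${StpPath}: $($unexpected.IdentityReference.Value -join ', ')"
} else {
    Write-Host "ACL on $StpPath is restricted to: $($expected -join ', ')"
}
```

In a domain environment the local group would be replaced by an Active Directory group, and the verification step is worth re-running periodically (or from a scheduled task) so that permission drift after software updates or folder moves is noticed. The ACL governs which Windows accounts can open the files at all; it is a different control from the 'encrypted at rest' option described above, which protects the table contents on disk from being read offline but does not restrict accounts the ACL already permits.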